Heap overflow if UDT type is used with protocol 5.0

Bug #1835896 reported by Frediano Ziglio
Affects             Status        Importance  Assigned to       Milestone
freetds (Ubuntu)    Fix Released  Medium      Marc Deslauriers
  Bionic            Fix Released  Medium      Marc Deslauriers
  Disco             Fix Released  Medium      Marc Deslauriers
  Eoan              Fix Released  Medium      Marc Deslauriers
  Focal             Fix Released  Medium      Marc Deslauriers

Bug Description

Description of problem:
A malicious server could cause a heap overflow.
This can happen if the server causes a downgrade to protocol 5.0 and sends a UDT type.
This does not apply to a specific Ubuntu version. FreeTDS versions from 0.95 on are affected, so all versions distributed with recent Ubuntu.

How reproducible:
You need to write a malicious server that does the downgrade and sends the UDT type.

Actual results:
Heap overflow

Expected results:
Type handled correctly or disconnection due to invalid protocol.

Additional info:
This was reported by Felix Wilhelm from the Google Security Team.
This is fixed by https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
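Added example, not the FreeTDS fix itself (the real change is in src/tds/data.c, per the Ubuntu changelog): a small C model of the two defences this report implies, the "varint must be 8 for UDT" check named in the changelog and a length read that is bounded by both the packet and the column's heap allocation. The UDT type code 0xF0, the protocol version encodings and the little-endian 8-byte length prefix are assumptions for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TDS_UDT_TYPE 0xF0u   /* assumed: type code for a UDT column */
#define TDS_PROTO_72 0x0702u /* assumed: UDT exists only from TDS 7.2 on */

enum col_status { COL_OK, COL_BAD_PROTOCOL, COL_BAD_VARINT, COL_TRUNCATED, COL_TOO_LONG };

/* Column metadata as received from the server; every field is untrusted.
 * protocol: negotiated TDS version (0x0500 models 5.0, an assumed encoding);
 * type: column type code; varint: width in bytes of the length prefix. */
struct column_meta { uint16_t protocol; uint8_t type; uint8_t varint; };

/* The check the fix describes: a UDT column is acceptable only when the
 * negotiated protocol can carry it and its length prefix is 8 bytes wide.
 * Anything else is a protocol violation; the caller should disconnect. */
enum col_status validate_udt_column(const struct column_meta *c)
{
    if (c->type != TDS_UDT_TYPE)
        return COL_OK;            /* other types are validated elsewhere */
    if (c->protocol < TDS_PROTO_72)
        return COL_BAD_PROTOCOL;  /* e.g. after a downgrade to 5.0 */
    if (c->varint != 8)
        return COL_BAD_VARINT;
    return COL_OK;
}

/* Read one UDT value: decode the little-endian (assumed) length prefix with
 * the validated width, then refuse any length exceeding the bytes left in the
 * packet or the buffer allocated for the column, so it can never write past dst. */
enum col_status read_udt_value(const struct column_meta *c,
                               const uint8_t *pkt, size_t pktlen,
                               uint8_t *dst, size_t dstlen, size_t *copied)
{
    enum col_status st = validate_udt_column(c);
    if (st != COL_OK) return st;
    if (pktlen < c->varint) return COL_TRUNCATED;
    uint64_t len = 0;
    for (unsigned i = 0; i < c->varint; i++)
        len |= (uint64_t)pkt[i] << (8 * i);
    if (len > pktlen - c->varint)
        return COL_TRUNCATED;     /* length runs past the packet */
    if (len > dstlen)
        return COL_TOO_LONG;      /* length runs past the allocation */
    memcpy(dst, pkt + c->varint, (size_t)len);
    *copied = (size_t)len;
    return COL_OK;
}
```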

CVE References

Revision history for this message
Alex Murray (alexmurray) wrote :

Has a CVE been assigned for this issue? If not, could you please apply for one via MITRE https://cveform.mitre.org/ so that all distributions can be aware of and ensure they fix this issue? Given the fix is public, is there a reason to keep this bug private?

Revision history for this message
Frediano Ziglio (freddy77) wrote : Re: [Bug 1835896] Re: Heap overflow if UDT type is used with protocol 5.0

Hi,
  The CVE was not assigned. I will ping the reporter to get it assigned.
From the temporary patch it is not clear that it is fixing a specific
security issue, and the path of the security issue is not really readable
from the code either, so I think it's not a problem if that fix is public.
This will give people the time to update the packages.

Frediano

On Thu 11 Jul 2019 at 06:41 Alex Murray <
<email address hidden>> wrote:

> Has a CVE been assigned for this issue? If not, could you please apply
> for one via MITRE https://cveform.mitre.org/ so that all distributions
> can be aware of and ensure they fix this issue? Given the fix is public,
> is there a reason to keep this bug private?
>

Revision history for this message
Alex Murray (alexmurray) wrote :

Is the temporary patch https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac expected to be the final and authoritative fix for this issue? In general, we wouldn't normally keep security bugs private when the fix is already out in the open, since smart hackers can usually reverse engineer these things to deduce the presence of a bug just from the commit which fixes it. However, this is your bug so you get to make the call - although once the CVE is announced publicly then the bug should become public too regardless.

Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for bringing this to our attention though - once a CVE is assigned we will add it to our internal tracker - can you also please let us know when the public disclosure date is expected to be?

Revision history for this message
Frediano Ziglio (freddy77) wrote :

On Thu 11 Jul 2019 at 12:20 Alex Murray <
<email address hidden>> wrote:

> Is the temporary patch
>
> https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
> expected to be the final and authoritative fix for this issue? In
>

The patch fixes the security issue.
On the other hand the path of exploitation reveals that there are also some
missing checks and some conditions should be handled in a different way.
So I'll write tests for this and will handle checks more robustly to remove
other similar possibilities in the future.

> general, we wouldn't normally keep security bugs private when the fix is
> already out-in-the-open since smart hackers can usually reverse engineer
> these things to deduce the presence of a bug just from the commit which
> fixes it. However, this is your bug so you get to make the call -
>

Usually it makes sense. In this case it's far from clear that this is a
security fix (usually it is very clear) so I adopted this uncommon process.
I think in the future patches (I'll obviously wait till packages are out,
at least 3 months) I'll explain the whole security issue and quote the CVE.

> although once CVE is announced publicly then the bug should become
> public too regardless.
>

Revision history for this message
Frediano Ziglio (freddy77) wrote :

The CVE is CVE-2019-13508.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Frediano; have you had any success with upstreams on this issue? I notice only one newer commit to this repo, and it looks unrelated.

Thanks

Revision history for this message
Frediano Ziglio (freddy77) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi!

Is the CVE information public now? Can we make this bug public so that we can fix the issue?

Thanks!

Revision history for this message
Alex Murray (alexmurray) wrote :
information type: Private Security → Public Security
Changed in freetds (Ubuntu Bionic):
status: New → Confirmed
Changed in freetds (Ubuntu Disco):
status: New → Confirmed
Changed in freetds (Ubuntu Eoan):
status: New → Confirmed
Changed in freetds (Ubuntu Focal):
status: New → Confirmed
Changed in freetds (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetds (Ubuntu Disco):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetds (Ubuntu Eoan):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetds (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetds (Ubuntu Bionic):
importance: Undecided → Medium
Changed in freetds (Ubuntu Disco):
importance: Undecided → Medium
Changed in freetds (Ubuntu Eoan):
importance: Undecided → Medium
Changed in freetds (Ubuntu Focal):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freetds - 1.00.82-2ubuntu0.1

---------------
freetds (1.00.82-2ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Heap overflow if UDT type is used with protocol 5.0
    (LP: #1835896)
    - src/tds/data.c: make sure UDT has varint set to 8.
    - 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
    - CVE-2019-13508

 -- Marc Deslauriers <email address hidden> Thu, 17 Oct 2019 13:10:03 -0400

Changed in freetds (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freetds - 1.1.6-1ubuntu0.1

---------------
freetds (1.1.6-1ubuntu0.1) eoan-security; urgency=medium

  * SECURITY UPDATE: Heap overflow if UDT type is used with protocol 5.0
    (LP: #1835896)
    - src/tds/data.c: make sure UDT has varint set to 8.
    - 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
    - CVE-2019-13508

 -- Marc Deslauriers <email address hidden> Thu, 17 Oct 2019 13:06:35 -0400

Changed in freetds (Ubuntu Eoan):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freetds - 1.00.104-1ubuntu0.1

---------------
freetds (1.00.104-1ubuntu0.1) disco-security; urgency=medium

  * SECURITY UPDATE: Heap overflow if UDT type is used with protocol 5.0
    (LP: #1835896)
    - src/tds/data.c: make sure UDT has varint set to 8.
    - 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
    - CVE-2019-13508

 -- Marc Deslauriers <email address hidden> Thu, 17 Oct 2019 13:09:25 -0400

Changed in freetds (Ubuntu Disco):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freetds - 1.1.6-1ubuntu1

---------------
freetds (1.1.6-1ubuntu1) focal; urgency=medium

  * SECURITY UPDATE: Heap overflow if UDT type is used with protocol 5.0
    (LP: #1835896)
    - src/tds/data.c: make sure UDT has varint set to 8.
    - 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
    - CVE-2019-13508

 -- Marc Deslauriers <email address hidden> Thu, 17 Oct 2019 13:06:35 -0400

Changed in freetds (Ubuntu Focal):
status: Confirmed → Fix Released